Configuring a CMK for data encryption in Azure Database for PostgreSQL Flexible Server
You can optionally use a Customer Managed Key (CMK) for encrypting data in the Azure Flexible Server database instance used by Cloudera.
As described in Adding a customer managed encryption key to a Cloudera environment running on Azure, by default Cloudera clusters are encrypted with server-side encryption (SSE) using Platform Managed Keys (PMK), and Cloudera allows you to provide an existing CMK for encrypting Cloudera clusters instead.
When using a CMK for encrypting Cloudera clusters, you can also use that same CMK for encrypting the Azure Flexible Server database instance used by Cloudera. To do this, in addition to the typical CMK prerequisites, create a managed identity with specific permissions; then, during Cloudera environment registration on Azure, provide that managed identity along with the other CMK-related parameters (CMK resource group and key URL).
Azure prerequisites
You should first meet the CMK-related prerequisites described in Azure Requirements: Customer managed encryption keys (add additional credential permissions and create a key vault and vault key).
In addition to that, you should create a managed identity as described in Managed identity for encrypting Azure Database for PostgreSQL Flexible Server.
Creating an environment with a CMK for encrypting Flexible Server
Steps
Follow the usual steps for creating a Cloudera environment on Azure and make sure to do the following:
- In the Register Environment wizard, on the Region, Networking and Security page find the Customer-Managed Keys section.
- Click Enable Customer-Managed Keys.
- In the same section, under Select Resource group select the resource group where your CMK is located.
- Provide the URL of the key vault where the CMK resides. This is the same as the key identifier that you can copy directly from the Azure Portal.
- Under Managed identity for encryption, select the managed identity created as a prerequisite.
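A pre-flight check for the values entered in the Customer-Managed Keys section, added here as an example (it is not part of the Cloudera documentation or product). It parses the key identifier copied from the Azure Portal and the ARM resource id of the user-assigned managed identity so that a pasted vault URL, a missing key version, or a system-assigned identity id is caught before the wizard is submitted; the sample values and the assumption that the identity is referenced by its ARM id are constructed for this example.

```python
"""Pre-flight check of the inputs for the Customer-Managed Keys wizard section (added example)."""
import re
from urllib.parse import urlparse

# Key Vault DNS suffixes for the public, US Government and China clouds.
VAULT_SUFFIXES = (".vault.azure.net", ".vault.usgovcloudapi.net", ".vault.azure.cn")

# ARM resource id of a user-assigned managed identity (system-assigned identities have no such id).
IDENTITY_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/(?P<name>[^/]+)$"
)


def parse_key_identifier(url: str) -> dict:
    """Split a Key Vault key identifier into vault name, key name and key version.

    Raises ValueError when the string is not a key identifier, for example when
    only the vault URL (https://<vault>.vault.azure.net/) was pasted.
    """
    u = urlparse(url.strip())
    if u.scheme != "https" or not u.hostname:
        raise ValueError("key identifier must be an https URL")
    if not u.hostname.endswith(VAULT_SUFFIXES):
        raise ValueError(f"{u.hostname} is not a Key Vault host")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "keys":
        raise ValueError("URL does not point at a key (expected /keys/<name>/<version>)")
    return {
        "vault": u.hostname.split(".")[0],
        "key": parts[1],
        "version": parts[2] if len(parts) > 2 else None,
    }


def check_cmk_inputs(key_url: str, identity_resource_id: str) -> list:
    """Return a list of findings; an empty list means the inputs look well-formed."""
    findings = []
    try:
        key = parse_key_identifier(key_url)
        if key["version"] is None:
            findings.append("key URL has no version; copy the full key identifier from the portal")
    except ValueError as exc:
        findings.append(f"key URL: {exc}")
    if not IDENTITY_ID_RE.match(identity_resource_id.strip()):
        findings.append("managed identity must be the ARM id of a user-assigned identity")
    return findings
```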
Updating an existing environment to add the managed identity
Steps
The steps for adding the managed identity are similar to those described in Set a CMK for an existing Azure environment, except that in the Managed identity for encryption field a managed identity must be provided in addition to the Encryption Key Resource Group and the Encryption Key URL.
The managed identity can be added either at the same time as the CMK, or to an environment already configured with a CMK. In the latter case, it is enough to populate the Managed identity for encryption field; the other fields are already populated.